Wednesday, December 14, 2011

WhatsApp Xtract

I don’t want to bore you by explaining what WhatsApp is. If you have this serious gap, you can fill it here. Forensically speaking, WhatsApp was a very cool app until last June. After that, someone decided to add the extension “crypt” to that excellent source of information, msgstore.db.

This database stores information about contacts as well as entire conversations. However, if you simply open it with SQLite Browser, you may have trouble extracting a single chat session with a given contact, or reordering the messages. My latest Python script aims to overcome these problems, so that you do not have to deal with complex SQL queries.

Now you only need to decrypt that file! Go to the repo.

Exif Summarizer

Exif metadata are wonderful.
Just think about all the fields listed in the Exif standard: a great deal of information is available for each image. When was the picture taken? And where? And what camera was used? And what were the f-stop and exposure settings? And who was the photographer? ... damn! Why is the author field always empty?
Anyway... Exif metadata are definitely marvelous.
The problem is that pictures and their metadata are commonly too numerous, and this prevents an efficient inspection of the files during a digital investigation.
So the information needs to be aggregated: for the picture content the problem is hard, even using machine learning algorithms. But in the case of metadata, a smart way of showing them can by itself lead to evidence discovery, or at least raise a suspicion!

And that is what EXIF summarizer tries to do: given a directory (the root directory is fine), it recursively scans all the folders, reads the Exif data and composes a table of all the cameras found to have taken the pictures, together with their usage time intervals, based on the Photo.DateTimeOriginal field. The resulting report could be useful, for example, to easily detect the cameras or phones most used by the person under investigation.
The only requirement is to download and install the pyexiv2 module.
Then, simply run the script giving it the desired options:

-i <directory_to_scan> (mandatory)
-o <out_file_name>
-r to enable the recursion into the directories
-c to obtain a csv output
-w to obtain an html output (recommended)
-f to create a list of the photos for each camera in the html report
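
The aggregation described above, sketched as an added example (this is not the EXIF summarizer's own code). It assumes the tags have already been read into dictionaries keyed by Exif tag name; the sample records, camera names and the `summarize` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

EXIF_DATE_FORMAT = "%Y:%m:%d %H:%M:%S"  # date layout used by Exif date tags

# Constructed sample input: (path, Exif tags) pairs as a metadata reader would
# return them. Camera names, paths and dates are made up for this example.
SAMPLE_RECORDS = [
    ("DCIM/a.jpg", {"Exif.Image.Make": "ExampleCam", "Exif.Image.Model": "X1",
                    "Exif.Photo.DateTimeOriginal": "2011:03:02 10:15:00"}),
    ("DCIM/b.jpg", {"Exif.Image.Make": "ExampleCam ", "Exif.Image.Model": "X1",
                    "Exif.Photo.DateTimeOriginal": "2010:12:24 18:00:30"}),
    ("DCIM/c.jpg", {"Exif.Image.Make": "ExampleCam", "Exif.Image.Model": "X1",
                    "Exif.Photo.DateTimeOriginal": "0000:00:00 00:00:00"}),
    ("phone/d.jpg", {"Exif.Image.Make": "ExamplePhone", "Exif.Image.Model": "P2",
                     "Exif.Photo.DateTimeOriginal": "2011:11:05 09:00:00"}),
    ("web/e.jpg", {}),  # metadata stripped, e.g. a downloaded picture
]

def parse_exif_date(value):
    """Return a datetime, or None for missing, zeroed or malformed values."""
    try:
        return datetime.strptime(value.strip(), EXIF_DATE_FORMAT)
    except (AttributeError, ValueError):
        return None

def summarize(records):
    """Group pictures by camera and track each camera's first and last use."""
    cameras = defaultdict(lambda: {"count": 0, "undated": 0,
                                   "first": None, "last": None, "files": []})
    for path, tags in records:
        parts = [(tags.get(k) or "").strip()
                 for k in ("Exif.Image.Make", "Exif.Image.Model")]
        entry = cameras[" ".join(p for p in parts if p) or "(unknown camera)"]
        entry["count"] += 1
        entry["files"].append(path)
        taken = parse_exif_date(tags.get("Exif.Photo.DateTimeOriginal"))
        if taken is None:
            entry["undated"] += 1  # counted, but excluded from the interval
            continue
        entry["first"] = min(filter(None, (entry["first"], taken)))
        entry["last"] = max(filter(None, (entry["last"], taken)))
    return dict(cameras)

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_RECORDS).items(), key=lambda kv: -kv[1]["count"])
    for name, e in rows:
        print(f"{name:20} {e['count']:3} {e['first']} -> {e['last']} "
              f"(undated: {e['undated']})")
```

Pictures with a missing or zeroed date stay in the per-camera count but do not widen the usage interval, so a reset camera clock cannot distort the first and last dates.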

Special thanks to Joost de Valk for the sort-table javascript!